Date:      Tue, 4 Jul 2006 19:27:59 GMT
From:      Clément Lecigne <clem1@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 100570 for review
Message-ID:  <200607041927.k64JRxAX080495@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=100570

Change 100570 by clem1@clem1_ipv6vulns on 2006/07/04 19:27:45

	Some improvements around icmpsicng.c (mainly for rtadvd and rtsol fuzzing)	

Affected files ...

.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 edit

Differences ...

==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 (text+ko) ====

@@ -1,8 +1,17 @@
+ISICNG (v0.0.2) 04/07/03, by Clément Lecigne (clem1@FreeBSD.org)
+    
+    o   Some new feature added to icmpsicng.c
+            o   new parameters related to packet size 
+                    -z minsize -Z maxsize -K multiple
+            o   support of icmp option for neighbor discovery 
+                related icmp message.
+            o   bug fix around checksum calculation.
+        
 
-ISICNG (v0.1)	06/07/03, by Clément Lecigne (clem1@FreeBSD.org)
+ISICNG (v0.0.1)	03/07/03, by Clément Lecigne (clem1@FreeBSD.org)
 
-	- Port of all *sic.c to IPv6
-        isicng.c supports IPv6 and extension headers fuzzing.
-        tcpsicng.c is used to exercise the `TCPv6 stack'.
-        udpsicng.c is used to exercise the `UDPv6 stack'.
-        icmpsicng.c is used to exercise the `ICMPv6 stack'.
+	o   Port of all *sic.c to IPv6
+            isicng.c supports IPv6 and extension headers fuzzing.
+            tcpsicng.c is used to exercise the `TCPv6 stack'.
+            udpsicng.c is used to exercise the `UDPv6 stack'.
+            icmpsicng.c is used to exercise the `ICMPv6 stack'.

==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 (text+ko) ====

@@ -26,12 +26,18 @@
 main(int argc, char **argv)
 {
 	int c;
+    u_int a;
 	u_char *buf = NULL;
 	u_short	*payload = NULL;
 	u_int payload_s = 0;
 
 	struct libnet_icmpv6_hdr *icmp = NULL;
 
+    struct icmp_option_base_header {
+        u_int8_t type;
+        u_int8_t length;
+    } *icmp_opt;
+
 	/* libnet variables */
 	char errbuf[LIBNET_ERRBUF_SIZE];
 	libnet_t *l;
@@ -41,8 +47,8 @@
     struct libnet_ipv6_hdr *ip6;
     struct libnet_in6_addr ip_src, ip_dst;
 	u_int32_t flow;
-    u_int8_t tc, hl, ver, *nx, eo;
-    
+    u_int8_t tc, hl = 0, ver, *nx, eo;
+    u_int32_t maxsize, minsize, multiple;
     struct libnet_ipv6_frag_hdr *ip6f = NULL;
 
 #ifdef LIBNET_BSDISH_OS
@@ -74,13 +80,18 @@
     float ND        =   15;
     float RT        =   15;
     float NI        =   15;
+    float IcmpOpt   =   0;
+    
+    maxsize = 1279;
+    minsize = 128;
+    multiple = 1;
 
 	/* Not crypto strong randomness but we don't really care.  And this  *
 	 * gives us a way to determine the seed while the program is running *
  	 * if we need to repeat the results				     */
 	seed = getpid();
 
-	while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:T:R:E:U:M:O:N:W:vx:")) != EOF) 
+	while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:")) != EOF) 
     {
         switch (c) 
         {
@@ -93,6 +104,9 @@
             case 'R':
                 Redir = atof(optarg);
                 break;
+            case 'P':
+                IcmpOpt = atof(optarg);
+                break;
             case 'E':
                 Echo = atof(optarg);
                 break;
@@ -111,10 +125,22 @@
             case 'W':
                 NI = atof(optarg);
                 break;
+            case 'z':
+                minsize = atoi(optarg);
+                break;
+            case 'Z':
+                maxsize = atoi(optarg);
+                break;
+            case 'K':
+                multiple = atoi(optarg);
+                break;
             case 'h':
                 usage(argv[0]);
                 exit(0);
                 break;
+            case 'H':
+                hl = atoi(optarg);
+                break;
             case 'd':
                 dst_ok = 1;
                 if (strncmp(optarg, "rand", sizeof("rand")) == 0)
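Review bot: The new `-z`, `-Z`, `-K` and `-H` cases store `atoi(optarg)` with no validation, so a non-numeric or zero argument leaves `maxsize` or `multiple` at 0, and the later `rand() % maxsize` and `payload_s % multiple` then divide by zero; `-H` also silently truncates to `u_int8_t`. Parse with `strtoul` and reject bad values at option time, reusing the file's existing exit path, e.g. `case 'K': multiple = strtoul(optarg, NULL, 10); if (multiple == 0) { usage(argv[0]); exit(1); } break;`, and apply the same `> 0` check to `maxsize`. Since `minsize + maxsize` bounds the bytes written into `buf`, it should also be checked against `IP_MAXPACKET` minus the link and IPv6 header room. The `switch` and the enclosing `main` continue outside this hunk.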
@@ -242,7 +268,7 @@
     if (smac == NULL)
         memcpy(buf + 6, libnet_get_hwaddr(l), 6);
     else
-        memcpy(buf + 6, smac, 6);
+        memcpy(buf + 6, libnet_mac2eth(smac), 6);
     memcpy(buf + 12, "\x86\xdd", 2);
     eo = 0xe;
 #else /* !BSD */
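Review bot: The result of `libnet_mac2eth(smac)` is passed straight to `memcpy` without a NULL check; if that call can fail on an unparsable `-S` string (as `libnet_get_hwaddr()` on the line above does, returning NULL), the copy dereferences a null pointer. Store the result first and bail out through `usage(argv[0]); exit(1);` when it is NULL, e.g. `u_char *mac = libnet_mac2eth(smac); if (mac == NULL) { usage(argv[0]); exit(1); } memcpy(buf + 6, mac, 6);`. The same check is missing for the `libnet_get_hwaddr()` branch, which is pre-existing context.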
@@ -266,7 +292,7 @@
 	BadIPVer	/= 100;
 	FragPct		/= 100;
 	ICMPCksm	/= 100;
-    
+    IcmpOpt     /= 100;
     TooBig      /= 100;
     Redir       = Redir / 100 + TooBig;
     Echo        = Echo / 100 + Redir;
@@ -287,7 +313,8 @@
         off = eo;
         memset(buf + eo, 0x0, IP_MAXPACKET - eo);
 
-        hl = rand() & 0xff;
+        if (!hl)
+            hl = rand() & 0xff;
         flow = rand();
         tc = rand() & 0xff;
         
@@ -300,7 +327,9 @@
 			ver = rand() & 0xf;
 		else	ver = 6;
 
-		payload_s = rand() & 0x4ff;            /* length of 1279 */
+        do{
+            payload_s = (rand() % maxsize) + minsize;            /* length of 1279 */
+        }while (payload_s % multiple);
 
         /* build ipv6 header */
         ip6 = (struct libnet_ipv6_hdr *) (buf + off);
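Review bot: The `do { … } while (payload_s % multiple);` loop never terminates when the interval `[minsize, minsize + maxsize)` contains no multiple of `multiple` (e.g. `-z 128 -Z 10 -K 200`), and it divides by zero when `maxsize` or `multiple` is 0. Validating `maxsize >= multiple` (and both non-zero) after option parsing guarantees the interval contains a multiple and bounds the loop; alternatively round up deterministically with `payload_s = minsize + rand() % maxsize; payload_s += (multiple - payload_s % multiple) % multiple;`. Note that `-Z` is a range width rather than a maximum here (the result can reach `minsize + maxsize - 1`), so the stale `/* length of 1279 */` comment should become `/* payload_s in [minsize, minsize + maxsize) */` or the usage text should say so.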
@@ -328,6 +357,7 @@
             ip6f->ip_frag = rand() & 0xffff;
             ip6f->ip_id = (rand() % 10) ? rand() : getpid();
             off += 8;
+            payload_s -= 8;
         }
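Review bot: `payload_s -= 8;` here, and the matching subtractions added in the hunks at -339, -354, -362, -369, -384, -398, -408, -417 and -429 (`-= 36`, `-= 24`, `-= 16`, `-= 14`, `-= 4`), operate on the unsigned `payload_s` with no guard, so when `-z` selects a `minsize` smaller than the header bytes consumed by a branch the value wraps to near 4 GB and the payload fill loop `for(cx = 0; cx <= (payload_s >> 1); cx+=1)` writes far past the end of `buf`. The old `if ((payload_s - off) > payload_s) payload_s = 0;` guard that caught this case is deleted in the -429 hunk without a replacement. Either clamp at each site, e.g. `payload_s = payload_s >= 8 ? payload_s - 8 : 0;`, or drop the per-branch subtractions and recompute the remaining bytes from `off` once after the if/else chain, as the removed code did.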
 
         icmp = (struct libnet_icmpv6_hdr  *)(buf + off);
@@ -339,6 +369,7 @@
             icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff;
             icmp->icmp_mtu = rand();
             off += 8;
+            payload_s -= 8;
         }
         else if (what <= (RAND_MAX * Redir))
         {
@@ -354,6 +385,7 @@
             }
             icmp->icmp_dst = randipv6();
             off += 36;
+            payload_s -= 36;
             
         }
         else if (what <= (RAND_MAX * Echo))
@@ -362,6 +394,7 @@
             icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff;
             icmp->icmp_unused = rand(); /* seq + id */
             off += 8;
+            payload_s -= 8;
         }
         else if (what <= (RAND_MAX * Unreach))
         {
@@ -369,6 +402,7 @@
             icmp->icmp_code = (rand() % 2) ? rand() % 5 : rand() & 0xff;
             icmp->icmp_unused = (rand() % 2) ? 0 : rand();
             off += 8;
+            payload_s -= 8;
         }
         else if (what <= (RAND_MAX * MLD))
         {
@@ -384,6 +418,7 @@
                     icmp->icmp_mcast2[c] = rand() & 0xff;
             }
             off += 24;
+            payload_s -= 24;
         }
         else if (what <= (RAND_MAX * ND))
         {
@@ -398,6 +433,7 @@
                     icmp->icmp_target2[c] = rand() & 0xff;
             }
             off += 24;
+            payload_s -= 24;
         }
         else if (what <= (RAND_MAX * RT))
         {
@@ -408,6 +444,7 @@
                 /* solicitation msg */
                 icmp->icmp_unused = (rand() % 2) ? rand() : 0;
                 off += 8;
+                payload_s -= 8;
             }
             else
             {
@@ -417,7 +454,8 @@
                 icmp->icmp_rlf = rand() & 0xffff;
                 icmp->icmp_rct = rand();
                 icmp->icmp_rtt = rand();
-                off += 14;
+                off += 16;
+                payload_s -= 16;
             }
         }
         else if (what <= (RAND_MAX * NI))
@@ -429,30 +467,44 @@
             for (c = 0; c < 8; c++)
                 icmp->icmp_nonce[c] = rand() & 0xff;
             off += 14;
+            payload_s -= 14;
         }
         else
         {
             icmp->icmp_type = rand() & 0xff;
             icmp->icmp_code = rand() & 0xff;
             off += 4;
+            payload_s -= 4;
         }
-
-#ifdef LIBNET_BSDISH_OS
-        if ((payload_s - off + 0xe + 40) > payload_s)
-            payload_s = 0;
-        else
-            payload_s -= (off - 0xe - 40);
-#else /* !BSD */
-        if ((payload_s - off) > payload_s)
-            payload_s = 0;
-        else
-            payload_s -= (off - 40);
-#endif 
-
-		payload = (short int *)(buf + off);
-		for(cx = 0; cx <= (payload_s >> 1); cx+=1)
-				(u_short) payload[cx] = rand() & 0xffff;
-
+        
+        if (rand() <= (RAND_MAX * IcmpOpt))
+        {
+            while (payload_s >= 24)
+            {
+                icmp_opt = (struct icmp_option_base_header *)(buf + off);
+                icmp_opt->type = rand() % 5;
+                icmp_opt->length = (rand() % 2) + 1;
+                off += 2;
+                payload = (short int *)(buf + off);
+                for (a = 0; a < 6; a++)
+                    payload[a] = rand() & 0xff;
+                if (icmp_opt->length > 1)
+                {
+                    for (; (signed)a < 6 + ((icmp_opt->length - 1) * 8); a++)
+                        payload[a] = rand() & 0xff;
+                }
+                off += ((8 * icmp_opt->length) - 2);
+                payload_s -= (8 * icmp_opt->length);
+            }
+            /* padding */
+            payload = (short int *)(buf + off);
+            for (a = 0; a < payload_s; a++)
+                payload[a] = rand() & 0xff;
+        }else{
+            payload = (short int *)(buf + off);
+            for(cx = 0; cx <= (payload_s >> 1); cx+=1)
+                (u_short) payload[cx] = rand() & 0xffff;
+        }
 
 		if (rand() <= (RAND_MAX * ICMPCksm))
 			icmp->icmp_sum = rand() & 0xffff;
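Review bot: The ICMP option loop fills the option body through `payload`, which is `short int *`, so each `payload[a] = rand() & 0xff` stores two bytes: an option with `length` 1 receives 12 bytes instead of 6, `length` 2 receives 28 instead of 14, and the final padding loop `for (a = 0; a < payload_s; a++) payload[a] = …` writes `2 * payload_s` bytes past `off`, which for sizes near `IP_MAXPACKET` runs off the end of `buf`. Use a byte pointer for these fills so the bytes written match the `off`/`payload_s` bookkeeping. Separately, `icmp_opt->type = rand() % 5` yields 0..4; if the intent is to cover the neighbor discovery option types defined in RFC 2461 (1..5), `rand() % 5 + 1` is the range wanted. Rewritten option/padding section:
```c
        if (rand() <= (RAND_MAX * IcmpOpt))
        {
            u_char *opt_body;   /* byte-wise cursor: one store == one byte */

            while (payload_s >= 24)
            {
                icmp_opt = (struct icmp_option_base_header *)(buf + off);
                icmp_opt->type = rand() % 5 + 1;        /* ND option types 1..5 */
                icmp_opt->length = (rand() % 2) + 1;    /* in units of 8 bytes */
                opt_body = buf + off + 2;
                /* body is 8 * length bytes minus the 2-byte type/length header */
                for (a = 0; a < (u_int)(8 * icmp_opt->length - 2); a++)
                    opt_body[a] = rand() & 0xff;
                off += 8 * icmp_opt->length;
                payload_s -= 8 * icmp_opt->length;
            }
            /* padding: exactly the remaining payload_s bytes */
            opt_body = buf + off;
            for (a = 0; a < payload_s; a++)
                opt_body[a] = rand() & 0xff;
        }else{
            /* … unchanged: random short-word payload fill … */
        }
```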
@@ -494,7 +546,7 @@
 		      - (tv.tv_usec - tv2.tv_usec) / 1000000.0;
 		if ((datapushed / sec) >= max_pushed)
 			usleep(10);	/* 10 should give up our timeslice */
-        usleep(500);
+        sleep(1);
 	}
 
 
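Review bot: Replacing `usleep(500)` with `sleep(1)` hard-codes a one-packet-per-second ceiling, which makes the `-m <max kB/s>` rate limiter and its `usleep(10)` yield a few lines above effectively dead code. If the slow pace is what rtadvd/rtsol fuzzing needs, say so in a comment, e.g. `/* rtadvd/rtsol fuzzing: one packet per second is deliberate */`, or better make the inter-packet delay an option so the default fast mode is still reachable.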
@@ -514,17 +566,19 @@
 void usage(u_char *name)
 {
    fprintf(stderr,
-	"usage: %s [-v] [-D] -s <sourceip> -d <destination ip>"
+	"usage: %s [-v] -s <sourceip> -d <destination ip>"
 #ifdef LIBNET_BSDISH_OS
-   "-i <iface> -D <destination mac>\n       [-S <source mac>]"
+   " -i <iface> -D <destination mac>\n       [-S <source mac>]"
 #else /* !BSD */
    "[-i <iface>\n       "
 #endif
 	"       [-r seed] [-m <max kB/s to generate>]\n"
 	"       [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n"
+    "       [-z <minsize>] [-Z <maxsize>] [-K <size multiple>]\n"
 	"\n"
 	"       Percentage Opts: [-F frags] [-V Bad IP Version]\n"
-	"                        [-I Bad checksum>]\n"
+	"                        [-H hop limit] [-I Bad checksum]\n"
+    "                        [-P IcmpOpt]\n"
     "                        [-T Toobig] [-R Redirect] [-E Echo]\n"
     "                        [-U Unreach] [-M MLD] [-O Router]\n"
     "                        [-N Neighbor] [-W node info]\n"
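Review bot: `[-H hop limit]` is listed under "Percentage Opts" although it is an absolute value, and the usage text does not say that `0` (the default) means a random hop limit; move it next to the size options as `"       [-z <minsize>] [-Z <maxsize>] [-K <size multiple>] [-H <hop limit, 0 = random>]\n"`. The BSD branch gained a leading space after `<destination ip>`, but the `!BSD` string `"[-i <iface>\n       "` still runs into it and leaves an unbalanced bracket; `" [-i <iface>]\n       "` fixes both. `usage` continues past the end of this hunk.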


